Ledger to Disable Blind Signing on Dapps by June 2024

Hardware wallet manufacturer Ledger will disable blind signing for EVM decentralized applications (dapps) by June 2024, following an exploit in which a wallet drainer was added to a library used by many developers to connect to its devices.

In a tweet, Ledger said that around $600,000 in crypto assets were stolen during the exploit. It announced that affected victims would be "made whole" and that it would "no longer allow Blind Signing with Ledger devices by June 2024.

Blind signing involves the display of raw smart contract signing data that can be parsed by computers but is incomprehensible to a human reader. Ledger has previously advocated for a "what you see is what you sign" approach known as clear signing, in which smart contract signing is parsed in a human-readable manner.

In its announcement, Ledger stated that its move to sunset blind signing would "lead to a new standard to protect users and encourage Clear Signing across DApps," and encouraged dapp developers to support clear signing.

In last week's exploit, a malicious version of the Ledger Connect Kit, a library that enables Ledger devices to connect with dapps, was identified by developers on Twitter. Web3 security firm BlockAid reported that, "The attacker injected a wallet draining payload" into the ledgerconnect kit's NPM package," enabling them to drain the funds of users who signed on dapps including Sushi.com and Hey.xyz.

Software wallet developer MetaMask warned users to "stop using dapps" after news of the attack broke.

In a follow-up post, Ledger confirmed that the attack took place as a result of a former employee falling victim to a phishing attack. The attacker was able to gain access to the former employee's NPMJS account, a JavaScript package manager, enabling them to push a malicious version of the Ledger Connect Kit. The malicious Connect Kit then rerouted user funds from any wallet connecting to a dapp using it, to the hacker's own wallet.

Ledger stated that a fix was deployed within 40 minutes of the firm's security teams being alerted, and has pushed a new version of the Connect Kit (1.1.8). Ledger devices themselves, and the firm's Ledger Live app, were not compromised by the exploit, it added.

How a Single Phishing Link Unleashed Chaos on Crypto

Crypto wallet manufacturer Ledger has confirmed an exploit that led it to warn users to “stop using dapps” started because a former employee fell for a phishing scam. The former employee’s name and email address showed up in the compromised code. Initially the crypto community took it to mean that the developer himself was responsible for the exploit, but Ledger later confirmed the attack began because “a former Ledger employee fell victim to a phishing attack.” The attacker was able to gain acc...

The firm has previously faced criticism over its security. In 2020 a Ledger customer email database was hacked, with over a million user emails compromised, while earlier this year Ledger's voluntary ID-based Recover service was dubbed a "backdoor" by users. Ledger's co-founder Éric Larchevêque described the rollout of the Recover service as, "a total PR failure, but absolutely not a technical one."

Edited by Stacy Elliott.